IPv6 Destination Guard

The IPv6 Destination Guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link. It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IPv6 Destination Guard

You should be familiar with the IPv6 Neighbor Discovery feature. For information about IPv6 neighbor discovery, see the “Implementing IPv6 Addressing and Basic Connectivity” module.

You should be familiar with the IPv6 First-Hop Security Binding Table feature. For information, see the “IPv6 First-Hop Security Binding Table” module.

Information About IPv6 Destination Guard

IPv6 Destination Guard Overview

The IPv6 Destination Guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link. It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.

Before filtering incoming routed traffic, the device gleans the addresses on the link by snooping Neighbor Discovery Protocol (NDP) and DHCP messages. When a packet reaches the device and there is not yet an adjacency for the destination or for the next hop, NDP consults the device binding table to verify that the on-link destination or the next hop has been previously gleaned. If the destination is not found in the binding table, the packet is dropped. Otherwise, neighbor discovery resolution is performed.
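
The lookup order described above can be modeled in a few lines. This is an added example, not Cisco code or part of the original module: the class and method names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and the model assumes every permitted resolution succeeds.

```python
import ipaddress


class DestinationGuardModel:
    """Toy model of the destination guard decision (hypothetical names)."""

    def __init__(self):
        self.binding_table = set()  # addresses gleaned from NDP/DHCP snooping
        self.adjacencies = set()    # neighbors that are already resolved

    def glean(self, source, address):
        """Record an address seen in a snooped NDP or DHCP message."""
        if source not in ("NDP", "DHCP"):
            raise ValueError("only NDP and DHCP messages are gleaned")
        # ip_address() normalizes the text form, so differently written
        # spellings of one address map to the same binding entry.
        self.binding_table.add(ipaddress.ip_address(address))

    def route(self, destination, next_hop=None):
        """Return the action taken for one routed packet."""
        # The address to resolve is the next hop when there is one,
        # otherwise the on-link destination itself.
        target = ipaddress.ip_address(next_hop or destination)
        if target in self.adjacencies:
            return "forward"          # adjacency exists, nothing to resolve
        if target not in self.binding_table:
            return "drop"             # never gleaned: resolution is blocked
        self.adjacencies.add(target)  # assumption: resolution succeeds
        return "resolve"


def demo():
    """Run constructed sample traffic through the model."""
    guard = DestinationGuardModel()
    guard.glean("NDP", "2001:db8:0:1::10")
    guard.glean("DHCP", "2001:db8:0:1::20")
    packets = [  # (destination, next_hop), all constructed
        ("2001:db8:0:1::10", None),                  # gleaned, no adjacency
        ("2001:db8:0:1::10", None),                  # adjacency now exists
        ("2001:db8:0:1::dead", None),                # never seen on the link
        ("2001:db8:ffff::1", "2001:db8:0:1::20"),    # gleaned next hop
        ("2001:db8:ffff::1", "2001:db8:0:1::99"),    # unknown next hop
    ]
    return [guard.route(dst, nh) for dst, nh in packets]


if __name__ == "__main__":
    print(demo())
```
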

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for IPv6 Destination Guard

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for IPv6 Destination Guard

Feature Name: IPv6 Destination Guard

Releases: 15.2(4)S; 15.1(2)SG; Cisco IOS XE Release 3.9S; IOS XE 3.6.0E, IOS 15.2(2)E

Feature Information: The IPv6 Destination Guard feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address. In Cisco IOS XE Release 3.9S, support was added for the Cisco CSR 1000V. In Cisco IOS XE Release 3.9S, support was added for the Cisco ASR 1000 Series Routers.